Nemesis: Preventing Web Authentication & Access Control Vulnerabilities. Michael Dalton, Christos Kozyrakis Stanford University

Size: px

Start display at page:

Download "Nemesis: Preventing Web Authentication & Access Control Vulnerabilities. Michael Dalton, Christos Kozyrakis Stanford University"

Blaze Russell
6 years ago
Views:

1 Nemesis: Preventing Web Authentication & Access Control Vulnerabilities Michael Dalton, Christos Kozyrakis Stanford University Nickolai Zeldovich Massachusetts Institute of Technology

2 Web Application Overview User: Bob Op: Upload pic1.jpg User: webdb httpd Op: INSERT Write pic1.jpg pictbl DB FS FS/DB access executed with full app privileges! 2

3 Web Authentication is Broken Semantic Gap independent auth sys Web Authentication vs. DB, FS, LDAP, Webapps are effectively setuid progs All FS, DB ops have privs of webapp Not privs of webapp user (Confused Deputy) Programmer must insert auth checks Check web app user before all FS/DB op Safe only if programmer is perfect 3

4 And in the real world Programmers forget auth/acl checks Authentication/Authorization OWASP Top 10 Difficult to prevent automatically Each app has its own authentication system Apps have different privilege/acl systems Widespread, highly damaging Vulns usually result in admin access to app 4

5 Authorization Bypass Vulns Resource access without authorization Missing authorization check Incorrect authorization check if(client_authorized($_get['filename']) openfile($_get['filename'])) Add URL parameter: filename=/etc/passwd 5

6 Authentication Bypass Vulns Authentication without valid credentials URL/Cookie Validation Error Weak Crypto Ruby on Rails security-hole-found-in-rails-2-3s if (isset($_cookie['user'])) $username = $_COOKIE['user']; Edit cookie, add name/value pair: 'user=admin 6

7 Ideal Auth/ACL System Only authenticates correctly/safely No authentication bypass attacks Always enforces ACLs correctly No authorization bypass attacks Existing systems fail on both counts May authenticate unsafely if vulnerable Do not enforce ACLs automatically 7

8 Nemesis Overview Stops authentication, authorization atks Without requiring app auth code rewrites Infers when authentication done safely Use DIFT to track auth credentials Enforces ACLs automatically on file/db ACLs specify privs for web clients 8

9 Nemesis System Overview Web App 1 Web App 2 Web App 3 Core Library ACL Enforce Intercept I/O ops for File ACLs Intercept SQL ops for DB ACLs Language Interpreter DIFT Automatic auth inference 2 tag bits per object Tag prop on all object ops 9

10 Safe Authentication Inference Propagate user credential, taint bits 2 tag bits per object (String, integer, etc) Infer when auth occurs safely Tainted info compared equal to auth cred Add check to string or array comparison op Record authentication inferred user Auth bypass attacks do not change this user 10

11 Authentication Example $user = $_GET['username'] $user = mysql_real_escape_string($user) $pw = md5sum($_get['password']) T P Variable $user $pw $realpw $realpw = $db->query( SELECT pw FROM users WHERE username = + $user + ; if ($pw == $realpw) { Authenticated! 11

12 Authorization Enforcement Enforce ACLs on FS, DB access Apply to authentication inferred user Restrict DB table/row, file access Many tables store per-user rows Taint information used in some rules New user registration Password change 12

13 Attack Prevention Authorization Bypass Nemesis ACLs enforced automatically Not dependent on any app-enforced checks Authentication Bypass Auth inference not affected by attack Inference requires user input == password ACLs check inferred user Prevents access to any privileged resource!

14 Configuration Requirements Authentication inference Table/column info for auth credentials ACL enforcement ACL from sysadmin for DB, File access Future work Current configuration provided by admin Log DB, File ops along with inferred user Auto-generate ACLs from logs 14

15 Nemesis Prototype Added DIFT support to PHP interpreter Password, Taint bits for String, int, etc Assume Raksha checking OS & PHP interpreter for low-level attacks Auth inference on string comparison ==,!= operators Don t have a full SQL query rewriter Had to manually insert DB checks 15

16 Experimental Results Application Size (Lines) Auth Lines Added ACL Check Lines Added Attack Prevented Php icalendar 13, Auth Bypass PhpStat 12, Missing ACL Check Bilboblog 2, Incorrect ACL Check phpfastnews Auth Bypass Linpha Gallery 50, SQL Injection in Password Check DeluxeBB 22, Missing ACL Check No discernible performance overhead 16

17 Authenticatication Bypass: Bilboblog Internal login script internet accessible Admin username and password undefined PHP + Register Globals = Fail Undefined vars initialized by URL params Attacker supplies the admin password! Ensures the submitted password is equal 17

18 Protecting Bilboblog Vulnerable app does not perform auth Compares user input to user input Attack has no effect on shadow auth Attacker-supplied admin password is tainted Does not have user credential bit set Access to privileged resources denied ACL checks use shadow authenticated user 18

19 Authorization Bypass: DeluxeBB Forum supports private messages Stored in DB, restricted to sender/receiver Invalid access control check Malformed cookies bypass check entirely Attacker forges cookies Can read arbitrary user s private messages 19

20 Protecting DeluxeBB Nemesis does not parse app cookies Maintains its own shadow auth cookies DeluxeBB has row ACL for pm table From or To field = shadow auth user Exploit rendered harmless Only read row if From/To shadow auth user No information leaks can occur 20

21 Future Work Develop full language for ACLs Automate SQL query rewriting for ACLs Database views/triggers (see related work) MySQL Proxy Automate ACL generation Parse DB, File access logs Infer authentication rules 21

22 Conclusion Web authentication is broken Semantic gap between Web App, DB & FS Nemesis infers safe authentication When user input compared equal to password Nemesis enforces authorization ACLs apply to authentication inferred user Validated using real-world PHP Apps Prevented authentication & authorization bypass 22

Nemesis: Preventing Authentication & [and] Access Control Vulnerabilities in Web Applications

Nemesis: Preventing Authentication & [and] Access Control Vulnerabilities in Web Applications The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story